fix: load the system cert pool in multistage build

yasinmiran · yasinmiran · commit 3c377530a2dd · 2025-06-26T11:00:53.000+02:00
diff --git a/e2eTests/docker-compose.template.yml b/e2eTests/docker-compose.template.yml
@@ -142,6 +142,7 @@ services:
       - LEGA_MQ_QUEUE=<<INTERCEPTOR_LEGA_MQ_QUEUE>>
       - ENABLE_TLS=<<INTERCEPTOR_ENABLE_TLS>>
       - CA_CERT_PATH=<<INTERCEPTOR_CA_CERT_PATH>>
+      - DEBUG=true
     volumes:
       - interceptor-certs:/certs
 
diff --git a/services/mq-interceptor/Dockerfile b/services/mq-interceptor/Dockerfile
@@ -1,20 +1,22 @@
-FROM docker.io/library/golang:1.24 AS builder
+FROM golang:1.24 AS builder
 
-ENV GOPATH=$PWD
 ENV CGO_ENABLED=0
 ENV GOPROXY=direct
 
+WORKDIR /app
 COPY . .
 
-RUN go build
+RUN go build -o mq-interceptor ./main.go
 
-RUN echo "nobody:x:65534:65534:nobody:/:/sbin/nologin" > passwd
+# Optional: create passwd for non-root user
+RUN echo "nobody:x:65534:65534:nobody:/:" > /app/passwd
 
-FROM scratch
+# ---- Final stage ----
+FROM gcr.io/distroless/static:nonroot
 
-COPY --from=builder /go/passwd /etc/passwd
-COPY --from=builder /go/mq-interceptor ./mq-interceptor
+COPY --from=builder /app/mq-interceptor /
+COPY --from=builder /app/passwd /etc/passwd
 
 USER 65534
 
-ENTRYPOINT [ "/mq-interceptor" ]
+ENTRYPOINT ["/mq-interceptor"]
diff --git a/services/mq-interceptor/main.go b/services/mq-interceptor/main.go
@@ -255,13 +255,29 @@ func selectEgaIdByElixirId(elixirId string) (egaId string, err error) {
 }
 
 func getTLSConfig() *tls.Config {
+	debug := os.Getenv("DEBUG") == "true"
 	caCertPath := os.Getenv("CA_CERT_PATH")
 	if caCertPath == "" {
-		log.Println("CA_CERT_PATH environment variable not set, using default TLS configurations")
+		if debug {
+			log.Println("CA_CERT_PATH not set, using system cert pool")
+		}
+		systemPool, err := x509.SystemCertPool()
+		if err != nil {
+			log.Printf("WARNING: Failed to load system cert pool: %v", err)
+			return &tls.Config{InsecureSkipVerify: false}
+		}
+		if debug {
+			log.Println("System cert pool loaded (cannot list subjects due to security).")
+		}
 		return &tls.Config{
+			RootCAs:            systemPool,
 			InsecureSkipVerify: false,
 		}
 	}
+	// Load custom CA from path
+	if debug {
+		log.Printf("Using CA certificate from path: %s", caCertPath)
+	}
 	caCert, err := os.ReadFile(caCertPath)
 	if err != nil {
 		log.Fatalf("Failed to read CA certificate: %v", err)
@@ -270,6 +286,9 @@ func getTLSConfig() *tls.Config {
 	if !caCertPool.AppendCertsFromPEM(caCert) {
 		log.Fatal("Failed to add CA certificate to pool")
 	}
+	if debug {
+		log.Println("Custom CA certificate loaded and added to pool")
+	}
 	return &tls.Config{
 		RootCAs:            caCertPool,
 		InsecureSkipVerify: false,
